[Fwknop-discuss] SELinux & fwknop

Does anyone have a (short) 360 on fwknop and SELinux? I got fwknop to
work on the server with SELinux in enforcing mode after the following
adjustment but I wonder if there is more to it?

chcon -v -R -t iptables_t /var/log/fwknop

There are still SELinux alerts caused by iptables - sockfs stuff.

On Jul 18, 2008, Jesper Engman wrote:
> Does anyone have a (short) 360 on fwknop and SELinux? I got fwknop to
> work on the server with SELinux in enforcing mode after the following
> adjustment but I wonder if there is more to it?
>
> chcon -v -R -t iptables_t /var/log/fwknop
>
> There are still SELinux alerts caused by iptables - sockfs stuff.

I don't have a comprehensive list of things to change in SELinux to
ensure that fwknopd functions correctly. Depending on how you configure
fwknopd, it could need to interface with GnuPG, so that might be an
extra wrinkle. Also, assuming that you are running in an SPA mode as
opposed to a port knocking mode, then fwknopd will need to sniff the
network (either promiscuously or not - see the ENABLE_PCAP_PROMISC
variable in /etc/fwknop/fwknop.conf), but it sounds like you already have
that working.

If you generate a set of SELinux rules for fwknop compatibility, and you
don't mind sharing, I would be happy to post the series of steps you
needed to perform on cipherdyne.org.

Thanks,
--
Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
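
One way to triage the remaining alerts mentioned in this thread before writing any rules for fwknop, as an added example that is not part of the original messages or of the fwknop project: group the AVC denials by source type, target type, object class and permissions. The function names and the sample audit records are constructed for illustration; the real alerts on the poster's system are not shown in the thread.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials so each distinct
# (source type, target type, class, permissions) tuple is reviewed once.

# Constructed sample records (assumed shapes, not taken from the thread).
sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1216400001.101:201): avc:  denied  { read write } for  pid=2101 comm="iptables" path="socket:[9001]" dev=sockfs ino=9001 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=packet_socket
type=SYSCALL msg=audit(1216400001.101:201): arch=40000003 syscall=11 success=yes exit=0 comm="iptables" exe="/sbin/iptables"
type=AVC msg=audit(1216400007.330:215): avc:  denied  { read write } for  pid=2144 comm="iptables" path="socket:[9001]" dev=sockfs ino=9001 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=packet_socket
type=AVC msg=audit(1216400009.512:219): avc:  denied  { append } for  pid=2150 comm="iptables" name="example.log" dev=sda1 ino=4242 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
EOF
}

# Reads audit records on stdin; prints "count source target class perms".
summarize_avc() {
    awk '
    # Return the value of key=... from an audit record.
    function value(line, key,    i, rest) {
        i = index(line, " " key "=")
        if (i == 0) return ""
        rest = substr(line, i + length(key) + 2)
        sub(/ .*$/, "", rest)
        return rest
    }
    # The SELinux type is the third field of user:role:type:level.
    function setype(ctx,    parts) {
        split(ctx, parts, ":")
        return parts[3]
    }
    /avc: +denied/ {
        perms = $0
        sub(/^[^{]*[{] */, "", perms)   # drop everything up to "{ "
        sub(/ *[}].*$/, "", perms)      # drop " }" and the rest
        gsub(/ +/, ",", perms)
        key = setype(value($0, "scontext")) " " setype(value($0, "tcontext")) \
              " " value($0, "tclass") " " perms
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort
}

# Stand-alone run over the constructed sample; on a real host, feed it
# the audit log instead (commonly /var/log/audit/audit.log).
sample_avc_log | summarize_avc
```

Each output line is one candidate rule to accept, fix by relabeling, or reject; repeated denials from the same cause collapse into a single line with a count.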